
fix(core): respect host-stack permissions boundary for ref-time custom resource roles

Open jstephenson opened this issue 9 months ago • 1 comments

Issue # (if applicable)

Closes #30179

Reason for this change

The permissions boundary applied to a stack is not propagated to roles created by custom resources where these enter the assembly at reference-resolution time. Examples of this are cross-stack references and references to list values which must be JSON stringified.

Presently various custom-resource-backed CDK features cannot be deployed into environments which require a permissions boundary on workload-created roles.

Please see my comment on the issue for a bit more detail.

Description of changes

This change exposes the PB assigned to a stack and uses this to apply a custom resource's host stack PB to its roles.

The change is straightforward but it changes the API surface of Stack, and as such I propose this as a solution sketch and do not expect it to be accepted in its current form. I am not sufficiently familiar with the design of the codebase to know where best to solve this, though, so would welcome contributor/maintainer views.

Some thoughts:

  • PermissionsBoundary is accepted by Stack as a prop as it stands. Perhaps this could be returned from a public field on Stack and plumbed into the proposed solution instead.
  • The ARN calculation logic in Stack could be factored out to somewhere else and used in both places.

Describe any new or updated permissions being added

None. Existing PB configuration now respected, however.

Description of how you validated changes

Simple unit tests added

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

jstephenson avatar Feb 16 '25 11:02 jstephenson
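
The gap the PR describes (a provider role created at reference-resolution time that does not carry the stack's permissions boundary) is visible in the synthesized template, so it can be caught before deployment. The following is an added example, not code from the PR or from aws-cdk: it takes a synthesized template as JSON, resolves the intrinsic form CDK emits for a boundary given by name (an arn:<partition>:iam::<account>:policy/<name> string built from Ref AWS::Partition and Ref AWS::AccountId), lists every AWS::IAM::Role whose PermissionsBoundary is absent or differs, and optionally stamps the boundary onto roles that lack it. The template, logical IDs and boundary name below are constructed for the demonstration, and the intrinsic shapes handled are an assumption about what appears in such templates.

```python
"""Check a synthesized CDK template for IAM roles that lack the stack's
permissions boundary. Added example; not part of the aws-cdk PR above."""
import json
from typing import Any

# Constructed sample (not from cdk.out). It imitates a stack synthesized with
# permissionsBoundary: PermissionsBoundary.fromName("WorkloadBoundary"): the
# application role carries the boundary, while a provider role introduced by a
# custom resource at reference-resolution time does not. IDs are made up.
_ASSUME = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "lambda.amazonaws.com"}}],
}
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AppRole1234ABCD": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": _ASSUME,
                "PermissionsBoundary": {"Fn::Join": ["", [
                    "arn:", {"Ref": "AWS::Partition"}, ":iam::",
                    {"Ref": "AWS::AccountId"}, ":policy/WorkloadBoundary"]]},
            },
        },
        "CustomResourceProviderRole5678EFGH": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": _ASSUME},
        },
        "DataBucketABCD1234": {"Type": "AWS::S3::Bucket"},
    }
})


def boundary_arn_for(name: str, partition: str, account: str) -> str:
    """Rendered ARN of a boundary policy referenced by name."""
    return f"arn:{partition}:iam::{account}:policy/{name}"


def boundary_intrinsic(name: str) -> dict[str, Any]:
    """Account-agnostic form of the same ARN, as a CloudFormation Fn::Join."""
    return {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":iam::",
                              {"Ref": "AWS::AccountId"}, f":policy/{name}"]]}


def render(value: Any, partition: str, account: str) -> str:
    """Resolve the small set of intrinsics a PermissionsBoundary value may use:
    a plain string, Ref to AWS::Partition / AWS::AccountId, Fn::Join, or a
    string Fn::Sub. Anything else is rejected rather than silently accepted."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and len(value) == 1:
        key, arg = next(iter(value.items()))
        if key == "Ref":
            pseudo = {"AWS::Partition": partition, "AWS::AccountId": account}
            if arg in pseudo:
                return pseudo[arg]
        elif key == "Fn::Join":
            sep, parts = arg
            return sep.join(render(p, partition, account) for p in parts)
        elif key == "Fn::Sub" and isinstance(arg, str):
            return (arg.replace("${AWS::Partition}", partition)
                       .replace("${AWS::AccountId}", account))
    raise ValueError(f"unsupported PermissionsBoundary value: {value!r}")


def roles_missing_boundary(template_json: str, expected_arn: str,
                           partition: str = "aws",
                           account: str = "123456789012") -> list[str]:
    """Logical IDs of AWS::IAM::Role resources whose PermissionsBoundary is
    absent or does not render to expected_arn for the given partition/account."""
    resources = json.loads(template_json).get("Resources", {})
    missing = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        pb = res.get("Properties", {}).get("PermissionsBoundary")
        if pb is None or render(pb, partition, account) != expected_arn:
            missing.append(logical_id)
    return missing


def stamp_boundary(template_json: str, name: str) -> str:
    """Post-synthesis workaround: add the boundary to roles that have none.
    Roles that already declare a boundary are left untouched. This patches the
    emitted template only; an Aspect in the app is preferable where possible."""
    tpl = json.loads(template_json)
    for res in tpl.get("Resources", {}).values():
        if res.get("Type") == "AWS::IAM::Role":
            props = res.setdefault("Properties", {})
            props.setdefault("PermissionsBoundary", boundary_intrinsic(name))
    return json.dumps(tpl, indent=2)


if __name__ == "__main__":
    expected = boundary_arn_for("WorkloadBoundary", "aws", "123456789012")
    print("roles without boundary:", roles_missing_boundary(SAMPLE_TEMPLATE, expected))
```

Run it against each template under cdk.out after cdk synth; a non-empty list is exactly the deployment failure the PR describes, surfaced before CloudFormation rejects the role creation.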

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: d47b3cf90a3a4265fd450c7921190cf4eaf2f571
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

aws-cdk-automation avatar Mar 07 '25 17:03 aws-cdk-automation